Joomla! is a well-known content management system, mature enough to be used by thousands of amateur and professional Web portals. Installation is a breeze and consists of six click-next steps. However, a default Joomla! installation is not necessarily a secure one, so let's see how we can protect our portal from potential attackers.
The first rule of security when it comes to Joomla! is "update frequently," because whenever a new version comes out, it usually comprises several user-reported bug and security fixes. If your host allows it, use PHP5 instead of PHP4, because it's more advanced and offers better security.
Once your site is ready to be launched, make sure to set your configuration.php file to read-only -- a critical step that most users neglect. Change file and directory permissions --
chmod 644 for files and
chmod 755 for folders -- but be sure to keep temporary and cache directories writable, lest you get a site error.
Bear in mind that special folders used by Joomla! modules and components that deal with files are also writable. An image manipulation component that cannot upload files is useless. Within the Joomla! administration Panel go to Site -> Global Configuration, and choose the Server tab. Activate CHMOD new files to 0644 and CHMOD new directories to 0755 then apply the settings.
Don't forget to delete your installation folder from Joomla!'s root once the install is finished; you will not be able to access your site with the directory still present in your server root. Change the administrator's username from admin to something less obvious and be sure to use a good, long, hard-to-remember password. A good rule of thumb is to use a combination of lowercase and uppercase letters and numbers, at least eight characters long. Don't write it down and don't use it as a password anywhere else.
An important step in securing Joomla! is to create and configure an .htaccess file in the root of the site which decides access permissions for special directories and mod_rewrite settings, among other things. The contents of this file may vary depending on the options your hosting server provides and the components and modules you might use.
After a default Joomla! install, you'll probably see the following message when you visit the back end administration panel: "PHP register_globals setting is 'ON' instead of 'OFF'." This means that Environment, GET, POST, Cookie, and Server variables are registered as global variables. If you turn register_globals off, you can prevent variable injection attacks. You'll have to edit your php.ini file -- but there's a catch. Most hosting providers don't allow direct access to the main php.ini file. You can work around the problem by creating a php.ini file in the root directory of the site and put your lines there. In some cases it might take up to an hour for the settings to be read by the provider's servers, so be patient. Once you've done this, insert one of the following lines, depending on the PHP version the server is running (PHP 5 or PHP 4 respectively):
php_value register_globals off
register_globals = 0
There's more you can do to further harden the php.ini file. To make SQL inject attacks bounce, put the following two lines in your php.ini file:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
The first line disables URL-aware fopen wrappers that enable accessing URL object like files. The second one disables a lot of PHP functions:
- shows_source -- an alias of highlight_file() which provides syntax highlighting for files;
- system -- allows execution of external programs;
- shell_exec -- allow execution of commands via a shell;
- exec -- allow execution of commands;
- passthru -- similar to the exec() function, allows execution of commands;
- phpinfo -- outputs PHP information that could be used by potential intruders;
- popen -- opens a pipe to a process being executed by a certain command;
- proc_open -- similar to popen() but provides better control over command execution.
Thus this setting disables all means of executing commands and scripts. Again, this might cause problems with some components and modules that use PHP functions for launching commands, but their number is negligible. Look at it this way: you'll probably have to do some manual backup, but at least you'll sleep soundly at night.
To apply the lines above and secure the portal, you can use the .htaccess file. Since not all hosting providers let you use customized .htaccess files, and since some functions can be specified only in php.ini, we'll stick to using the php.ini file for inserting the restrictions. Now comes the fun part: copy the php.ini file into every subfolder of your Joomla! installation that has .php files in it. Do it after your site is finished and ready to be launched, then check if everything works as it is supposed to.
Next, as an extra measure of security, protect the administration subfolder with an .htpasswd file. In /administrator, create two new files: .htaccess and .htpasswd.
The .htaccess file should contain the following lines:
AuthName "Joomla Administrator"
Specify a username (different from the ones already registered within Joomla!) and cook up a strong password for it using an online .htpasswd generator like .htaccess Tools. Paste the output from the site -- username and encrypted password -- into the .htpasswd file, then save and reload the portal's administration page. You'll be prompted to enter a username and the password you just created, and will be granted access to the second Joomla! login screen. Be sure to use different usernames and passwords for each.
Delete temporary installation files and images you don't need from Joomla!'s subdirectories, then uninstall modules you don't plan to use. Check all installed extensions for vulnerabilities and visit Secunia's Vulnerability Database often. Visit Joomla! Forums's security category and read what others have to say and, in case of disaster, follow these guidelines. I also recommend reading the Joomla! Administrator's Security Checklist.
The key in maintaining security is to keep yourself informed. Check security lists, and update your extensions whenever new versions are launched. Also, keep in mind that fewer extensions mean less time spent securing them. Check server logs from time to time for SQL injection strings and notify your hosting provider if any serious problems should come up.